Cyber-security breaches that occur via third parties are a trend that is not likely to go away anytime soon.
In the past, companies might have been able to shield themselves from liability by pointing the finger at the third party who lost the data. That excuse doesn’t fly anymore, and there are plenty of recent examples to prove it.
Significant data breaches this year at TikTok/Instagram/YouTube; Australia’s P&N Bank; and General Electric, to name a few, shared a common thread: Hackers managed to enter their systems and steal their data through a cyber-security vulnerability in a third party.
The release of customer information from the social media companies came via a defunct vendor called Deep Social. P&N Bank’s breach happened when criminals accessed customer data through a hosting company that was providing a server upgrade. Hackers successfully launched an email phishing scam against employees at a third party to gain access to GE employee information.
Regulators, particularly those in the European Union enforcing the General Data Protection Regulation (GDPR), have been unforgiving when it comes to third-party breaches. Recent U.K. Information Commissioner’s Office fines against British Airways, Marriott, and Ticketmaster were among the largest under the GDPR this year, and in each case, the companies held accountable said it was their third-party service providers that were at fault.
“Companies have come to realize that their ecosystem of partners doesn’t have the same level of protections,” said Andrew Morrison, principal at Deloitte & Touche and leader of the firm’s Cyber Risk Services Strategy, Defense & Response division. The impact of a third-party cyber-security breach, and the risks associated with such breaches, “have increased tremendously,” he said.
Kelly White, CEO of RiskRecon, which provides cyber-security ratings to subscribers on thousands of third parties, summed up the situation like this: “You can outsource systems and services all you want, but you cannot outsource your risk.” If your third party loses your company’s data, he said, the company that owns the data will be found at fault by regulators, partners, customers, and the general public.
Establishing the ground rules
A first line of defense between your company and third-party data breaches can be found in the service agreement between the two parties. Morrison said companies should insist in writing to be notified of a breach as soon as reasonably possible but generally no later than 24 hours.
“It really is in the interest of the first party to be notified as quickly as possible about an incident,” he said. “It’s really hard to figure out if you have a problem without the notification.”
For crucial third parties, Morrison said companies would be smart to have a backup plan if a partner suffers a data breach and is suddenly unavailable. One way to accomplish that is to negotiate an agreement with a second bidder or vendor who can perform the same service. If one vendor is offline, the first party could then quickly pivot to the alternative vendor, he said.
One increasingly common fallout from data breaches that is often overlooked, Morrison said, is when other third parties may temporarily sever their connection with the company.
“Organizations need to have a plan for what to do when third parties refuse to work with them after a breach,” he said. Even third parties not connected to the breach may, out of an abundance of caution, unlink their system from the compromised company until they can be assured the risk has passed. The potential cascading loss of connection to third parties after a breach is a risk many companies have not prepared for, he said.
One solution for vetting third parties for a variety of risks was developed by the financial services industry. Five large financial institutions—American Express, Bank of America, Bank of New York Mellon, JPMorgan Chase, and Wells Fargo—created in 2017 a third-party risk management (TPRM) utility platform called TruSight. The platform “combines best practices and standardization to execute comprehensive risk assessments once and deliver to many over a secure, shared-services platform,” according to a description provided by the company.
It’s a TPRM model that could be applied to other heavily regulated industries like aerospace and defense, healthcare, or pharmaceuticals, said Jonathan Pressman, TruSight’s CEO.
“We developed our methodology through extensive engagement with financial services industry risk practitioners,” Pressman said. “We are also very engaged and supportive of third parties who we view as partners—these service providers feel a tremendous sense of responsibility and are overwhelmed by the bilateral requests to provide the necessary data to help their financial services customers meet their regulatory obligations.”
Another potential cyber-security vulnerability lies with subcontractors who service third parties—in TPRM terms, fourth parties, fifth parties, and on down the line.
A company should restrict access to its critical systems by subcontractors and closely monitor any systems subcontractors do have access to, Morrison said.
Pressman said an area of emerging concern in the financial services industry is gaining access to risk data from the cloud service providers that support a third party, such as an application or software developer, which is itself providing a service. (Cloud service providers like Microsoft Azure, AWS, or Google Cloud are technically a fourth party in that scenario.)
“The financial institutions want to know, ‘What and how are the controls deployed in the cloud?’” Pressman said.
Monitoring for third-party cyber-security risks
Companies are struggling to identify cyber-security risks through traditional means like questionnaires, according to a recent survey of 154 TPRM practitioners by RiskRecon.
The survey, “The State of Third Party Risk Management 2020,” found nearly all of the practitioners polled—84 percent—use security questionnaires to assess their third parties’ cyber-security measures.
But the survey found only 1 in 3 (34 percent) TPRM specialists actually believe the questionnaire responses they receive from third parties.
Third parties often check the box on questionnaires and claim, for example, to be regularly patching their computer software, using web encryption, and monitoring their online systems for potential attacks, White said. But in reality, they may not be as diligent as they claim to be.
The RiskRecon survey found “81 percent of programs report that at least 75 percent of their vendors pass their security questionnaires with no exceptions, claiming perfect compliance to requirements.” But the report also found only 14 percent of professionals are “highly confident that vendor security performance truly does meet the requirements outlined in the questionnaire.”
That’s a huge disconnect, particularly since the report found that, of the median 50 third parties TPRM specialists assess each year, 31 percent are considered a material risk in the event of a breach.
White called security questionnaires “a necessary tool” that, by themselves, are likely not enough to measure a third party’s cyber-security vulnerabilities.
So, what are some other ways to assess, monitor, and mitigate your third party’s cyber-security risks?
The RiskRecon survey found TPRM specialists enhanced their evaluation of third parties with documentation review (69 percent), remote assessments (50 percent), cyber-security ratings (42 percent), and onsite assessments (35 percent). Four percent of those surveyed reported they do not perform assessments.
Remote assessments and cyber-security ratings are two ways to monitor risks among third parties without more expensive options like onsite assessments or penetration tests, which many third parties do not even allow anymore, White said.
Atul Vashistha, CEO of Supply Wisdom, a continuous risk management vendor, said keeping track of risks posed by third parties should be more than a once-a-year, once-a-quarter, or even a once-a-month endeavor.
“Risks are continuous,” he said, noting vulnerabilities in 2020 moved up and down in severity on a daily basis. “Threats are changing so rapidly that once a year does not do.”
Vashistha argues companies can monitor risks posed by their third parties on a daily basis by utilizing artificial intelligence and machine learning tools. In addition to cyber-security risks, these tools can also monitor other risk factors, like the financial health of third parties, whether they’re experiencing management or employee churn, or whether they are shedding customers. Cyber-security risks naturally escalate when a third party is in distress, he said.
The tools can constantly monitor whether third parties are regularly updating their computer software and issue an alert to the first party when it’s not being done. They work by continuously checking a third party’s digital footprint: whether its web domain name is being spoofed, whether employee passwords or sensitive data have made their way onto the dark web, and its expected resiliency against certain kinds of cyber-attacks, among other indicators.
As part of their training programs, some companies issue reminders and alerts about cyber-security practices that employees are required to read and acknowledge every week or month. These same alerts can be pushed out to the employees of third parties, assuming they took the same cyber-security training as first-party employees. (Requiring this is a good idea, by the way, Vashistha said.)
Daily monitoring sounds time-consuming and labor-intensive, Vashistha said, and that may have been the case only a few years ago. But many vendors can measure a variety of risks within a company’s third parties and prioritize the red flags that need immediate attention. Some providers will even notify third parties about cyber-security lapses on a first party’s behalf and follow through to a resolution.
“Don’t waste the opportunity COVID has provided—it has elevated risk management,” Vashistha said. “Don’t continue to rely on practices of the past.”